CB Response: Different AV Product Blocked a Malicious Binary, Response Sensor Did Not Report It
Article ID: 285495

Updated On:

Products

Carbon Black EDR (formerly Cb Response)

Issue/Introduction

A third-party AV product blocked the execution of a malicious binary; however, when searching the CB Response console, the malicious process cannot be found.

Environment

  • CB Response:  All Versions

Cause

  • The CB Response sensor observes running processes and does not perform a file scan. Because the third-party AV blocked the execution, no process associated with the malicious binary ever ran, so the sensor has nothing to observe or report.
  • The process that wrote the malicious binary to disk can still be found with the filewrite_md5 (all versions) or filewrite_sha256 (6.3.1 or later) search parameters.
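
The pivot described above, worked as an added example that is not Carbon Black's own code: take the file hash reported by the AV alert, build the matching CB Response process-search term (choosing filewrite_md5 or filewrite_sha256 from the hash length and refusing the SHA-256 field on a server older than 6.3.1), and summarise the returned writer processes. The REST endpoint form (`/api/v1/process?q=`), the response field names and the sample response are assumptions for illustration, not taken from this article.

```python
"""Pivot from an AV-reported file hash to the CB Response process that wrote the file.

Added example (not Carbon Black's own code). The REST endpoint shape and the
response fields used below are assumptions based on the public CB Response API
layout; the sample response is constructed for this example.
"""
import json
import re
from urllib.parse import quote

# filewrite_sha256 is only available in CB Response 6.3.1 or later (per the article).
SHA256_MIN_VERSION = (6, 3, 1)
_HEX = re.compile(r"^[0-9a-fA-F]+$")


def parse_version(version: str) -> tuple:
    """Turn '6.3.1' into (6, 3, 1) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in version.split("."))


def filewrite_query(file_hash: str, server_version: str) -> str:
    """Return the process-search term that finds the writer of a file with this hash.

    Picks filewrite_md5 or filewrite_sha256 from the hash length and refuses a
    SHA-256 pivot on a server that does not yet support that field.
    """
    h = file_hash.strip().lower()
    if not _HEX.match(h):
        raise ValueError("hash must be hexadecimal")
    if len(h) == 32:
        return f"filewrite_md5:{h}"
    if len(h) == 64:
        if parse_version(server_version) < SHA256_MIN_VERSION:
            raise ValueError("filewrite_sha256 requires CB Response 6.3.1 or later; "
                             "use the MD5 from the AV alert instead")
        return f"filewrite_sha256:{h}"
    raise ValueError("hash must be 32 (MD5) or 64 (SHA-256) hex characters")


def process_search_url(base_url: str, query: str, rows: int = 10) -> str:
    """Assumed REST form of the same search: GET /api/v1/process?q=<query>&rows=N."""
    return f"{base_url.rstrip('/')}/api/v1/process?q={quote(query, safe=':')}&rows={rows}"


def summarize_writers(search_json: str) -> list:
    """Reduce a process-search response to (hostname, process_name, path, process_md5)."""
    data = json.loads(search_json)
    return [
        (r.get("hostname"), r.get("process_name"), r.get("path"), r.get("process_md5"))
        for r in data.get("results", [])
    ]


# Constructed sample response shaped like a CB Response process search hit
# (hostname, path and hashes are placeholders, not real indicators).
SAMPLE_RESPONSE = json.dumps({
    "total_results": 1,
    "results": [{
        "hostname": "WKSTN-01",
        "process_name": "outlook.exe",
        "path": "c:\\program files\\microsoft office\\root\\office16\\outlook.exe",
        "process_md5": "00000000000000000000000000000000",
        "filemod_count": 3,
    }],
})

if __name__ == "__main__":
    # Placeholder hash standing in for the one the AV alert reported.
    q = filewrite_query("D41D8CD98F00B204E9800998ECF8427E", "6.2.4")
    print(q)
    print(process_search_url("https://cbresponse.example.invalid", q))
    for host, name, path, md5 in summarize_writers(SAMPLE_RESPONSE):
        print(f"{host}: {name} ({md5}) wrote the file; binary at {path}")
```

The same term goes straight into the console's process search box; the REST URL is only the scripted equivalent. The point of the version check is that an analyst on a pre-6.3.1 server who only has the SHA-256 from the AV alert must obtain the MD5 (from the AV product or a quarantine copy) before the pivot will work.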

Resolution

CB Response is working as designed.